Target warned consumers Thursday to monitor their statements for unauthorized use following a massive data breach involving 40 million credit and debit cards used in its stores between Black Friday and Dec. 15.
The information obtained included customer name, credit or debit card number, and the card's expiration date and the three-digit security code, known as the CVV, on the back of cards, the retailer said.
Target spokesman Eric Hausman confirmed it has "no indication that debit card PINs were impacted."
Data breaches of this sort appear to be a growing problems among retailers. Along with a well-publicized and highly litigated case in 2006 involving 46 million shoppers at TJX's stores, Michael's, Stop & Shop, Aldi and Subway has been hit with similar breaches in recent months.
Increasingly sophisticated fraudsters can replace checkout line credit and debit card readers with ones that wirelessly transmit data to banks but also the criminals. But breaches as large as Target's, reported to involved some 40 million cards, are more likely to involve network or software breaches, perhaps when an employee of the company or a contractor provides access to the "back door" of the system, says longtime retail crime expert Joe LaRocca, former head of loss prevention for the National Retail Federation.
The access can be done intentionally or unwittingly, says LaRocca.
"In my opinion, someone found a way to manipulate the system to extract the numbers," says LaRocca, founder of RetaiLPartners, a loss prevention consulting company. "When a network intrusion occurs, typically a vulnerability is discovered and may involve some Inside collusion. Someone opened the back door or carelessly left the back door open" by not using proper security practices.
Target said it began investigating the incident as soon as it learned of it, but didn't disclose when that was. The problem was first reported on a blog by security experts and former reporter Brian Krebs.
A third-party forensics firm is working with Target to investigate the incident and to determine what else the retailers can do to prevent the problem in the future.
Retailers are struggling to stay ahead of the criminals in this area, experts say.
"The Target situation illustrates the growing problem with identity theft, which is how ordinary folks are often the real targets of hackers who go after these big companies," says Adam Levin, chairman of Identity Theft 911 and Credit.com. "No matter how safe any individual person is with their data, customer databases like Target's represent a nearly irresistible source of people's personal information -- and their hard-earned money -- to hackers than going after individuals one by one."
How to prevent and detect card fraud:
•Regularly review credit card and bank statements for possible misuse.
•Monitor free credit reports.
•Report suspicious activity to credit card companies or financial institution immediately.
• Contact the Federal Trade Commission or law enforcement with any reports of identity theft or to learn about steps you can take to protect yourself from identity theft.
•Get credit reports from each nationwide credit reporting agency. You can get one free a year from each of these under law: Experian, TransUnion and Equifax. Request that any fraudulent transactions be deleted.
Consumers concerned about this type of thing happening to them can place a fraud alert on their credit report file to help protect their credit information, says Lisa LaBruno, senior vice president of retail operations for the Retail Industry Leaders Association.
Fraud alerts can make it more difficult for someone to get credit in the consumer's name because it tells creditors to follow certain procedures to protect the consumer. As soon as the credit reporting agency processes a fraud alert, it will notify the other two agencies, which then must also place fraud alerts in the consumer's file. Doing this, however can delay a consumer's ability to obtain credit.
"This sort of hacking is absolutely on the rise, as the tools are more readily available for even novice hackers to utilize in their efforts to crack open companies' computer systems," Levin says. "With a data breach of this type, the rewards -- your money -- are so great that it can only continue to increase."